Hi, all. Thanks in advance for your help.
I am working to integrate some RHEL7 servers to AD. In doing so it seems
clear that SSSD is the way to go. However, it looks like there are
basically (2) options:
1) Use sssd-ad (id_provider=ad, access_provider=ad)
2) Use explicit LDAP and Kerberos providers
I would prefer to use the sssd-ad method because it is obviously simpler.
However, I am unclear what security is provided therein. Obviously,
Kerberos is pretty secure for authentication. However, when groups, etc.,
are retrieved from LDAP is that done over SSL/TLS? It is implied that using
the sssd-ad method is essentially a shorthand for other LDAP/Kerberos
settings and I can't find a complete listing of what those settings are.
If I configure the server to enforce STARTTLS, is SSSD "smart enough" to
work with that if I use sssd-ad, or would I need to go the LDAP+Kerberos
route in order to configure some of the TLS-related settings?
Thanks again,
-LJK
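An added diagnostic for the question above (not code from the list or from the SSSD project): it reads an sssd.conf and reports, per [domain/...] section, how directory lookups are protected on the wire. It assumes that the AD provider binds to LDAP with SASL/GSSAPI by default, so any encryption of lookups comes from the negotiated SASL security layer (governed by ldap_sasl_minssf, which the script reports but cannot verify) rather than from TLS, and that a plain ldap provider is protected only through ldaps://, ldap_id_use_start_tls = true, or a SASL mechanism with a security layer. The configuration it audits is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not SSSD project code): audit an sssd.conf and report, per
# [domain/...] section, how identity lookups are protected in transit.
#
# Assumptions, labelled as such:
#  - id_provider = ad binds with SASL/GSSAPI (Kerberos) by default, so the data
#    channel is protected by the SASL security layer; whether that layer actually
#    encrypts depends on ldap_sasl_minssf, which is only reported here.
#  - id_provider = ldap is protected only via ldaps://, ldap_id_use_start_tls,
#    or a SASL mechanism with a security layer (GSSAPI / GSS-SPNEGO).

# audit_sssd_conf FILE
#   prints "<domain> <verdict>" for every domain section, in file order
audit_sssd_conf() {
    awk '
        function flush() {
            if (dom == "") return
            if (prov == "ad")
                v = "OK(sasl-gssapi minssf=" (minssf == "" ? "default" : minssf) ")"
            else if (prov != "ldap")
                v = "UNKNOWN(" prov ")"
            else if (uri ~ /ldaps:\/\// && uri !~ /ldap:\/\//)   # every URI is ldaps
                v = "OK(ldaps)"
            else if (tls ~ /^(true|yes|1)$/)
                v = "OK(starttls)"
            else if (mech == "gssapi" || mech == "gss-spnego")
                v = "OK(sasl-" mech ")"
            else
                v = "WEAK(cleartext-ldap)"
            print dom, v
        }
        /^[ \t]*[#;]/ { next }                       # comment lines
        /^[ \t]*\[domain\// {                        # start of a domain section
            flush()
            dom = $0; sub(/^[ \t]*\[domain\//, "", dom); sub(/\].*$/, "", dom)
            prov = ""; uri = ""; tls = ""; mech = ""; minssf = ""
            next
        }
        /^[ \t]*\[/ { flush(); dom = ""; next }      # any other section ends it
        dom != "" && /=/ {
            key = $0; sub(/[ \t]*=.*$/, "", key); sub(/^[ \t]*/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]*$/, "", val)
            val = tolower(val)
            if      (key == "id_provider")           prov   = val
            else if (key == "ldap_uri")              uri    = val
            else if (key == "ldap_id_use_start_tls") tls    = val
            else if (key == "ldap_sasl_mech")        mech   = val
            else if (key == "ldap_sasl_minssf")      minssf = val
        }
        END { flush() }
    ' "$1"
}

# write_sample_conf FILE: a constructed sssd.conf with three domains, one per
# case the audit distinguishes (not a real site configuration)
write_sample_conf() {
    cat > "$1" <<'EOF'
[sssd]
services = nss, pam
domains = ad.example.com, corp-ldap, legacy-ldap

[domain/ad.example.com]
id_provider = ad
access_provider = ad
ad_domain = ad.example.com

[domain/corp-ldap]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://ldap.corp.example.com
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand

[domain/legacy-ldap]
id_provider = ldap
ldap_uri = ldap://ldap.legacy.example.com
# no TLS and no SASL: identity data crosses the network in the clear
EOF
}

# Stand-alone run: audit the constructed config from a temporary file.
tmp=$(mktemp) || exit 1
write_sample_conf "$tmp"
audit_sssd_conf "$tmp"
rm -f "$tmp"
```

Point it at a real file with `audit_sssd_conf /etc/sssd/sssd.conf`; a WEAK verdict means group and user attributes for that domain are fetched over unprotected LDAP, which is exactly the case the question worries about.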

All;
I was recently looking at the man page for sssd-ldap and saw that several
of the options default to the 'openldap defaults'.
Based on this I was wondering:
1) Is there any requirement of SSSD on openldap client tools?
2) If openldap is NOT required, will SSSD still use what would be the
openldap values, or is it required to have the ldap.conf file present to
obtain these values?
3) If not (#2), are there other defaults that SSSD uses, or must we provide
values when we don't have ldap.conf in place?
Thanks,
-LJK

Hello all, hope all is well/happy holidays
Checked on the samba list and they directed me here.....
My issue is valid users in smb.conf containing an AD group
I have tried this on systems running cent7u2 and ubuntu trusty. These systems are running sssd. I can log in with AD users and chown/chgrp files with AD groups. However, I can't get AD groups to work with valid users in the smb.conf for restricting share access. If I just set individual AD users, it works just fine.
Also locally everything works as expected. For example I can chown a folder to be owned by an AD group with 2770. I can log in to the host via passwd/kerberos ticket and chdir into that directory without issue; below, the user in question is part of MC-Services, apologies, not trying to be overly obvious.
drwxrwsr-x 3 appadmin MC-Services 4096 Dec 15 14:47 logs
Again, singly listed AD users work with valid users. This kind of abstraction is nice so I don't have to tweak FS perms to "match" shared-out access. Right now with the local FS perms above I can get into the share if I have the share set up as below:
[logs]
comment = Server Logs
path = /logs
writable = no
valid users = jsmith
printable = no
So it seems samba can handle the users, but not AD groups, or can't get the info/membership for the AD groups. If I change the owner of the dir to be completely owned by appadmin, the testing user can no longer get into the share, which makes sense.
Any thoughts/help would be greatly appreciated.
thanks and regards
Some info on the samba versions on the CentOS host:
samba-common-4.2.3-12.el7_2.noarch
samba-common-tools-4.2.3-12.el7_2.x86_64
samba-common-libs-4.2.3-12.el7_2.x86_64
samba-4.2.3-12.el7_2.x86_64
samba-libs-4.2.3-12.el7_2.x86_64
samba-client-libs-4.2.3-12.el7_2.x86_64
[root@Xsamba]# smbd -V
Version 4.2.3
>>>Here is the SAMBA config
[global]
workgroup = mc
server string = Samba Server Version %v
log file = /var/log/samba/log.%m
max log size = 50
security = ads
bind interfaces only = yes
interfaces=192.168.99.0/24
dedicated keytab file=/etc/krb5.keytab
password server = 192.168.1.2 192.168.1.3
realm = MC.FOO.COM
passdb backend = tdbsam
map to guest = Bad Uid
[homes]
comment = Home Directories
browseable = no
writable = yes
[logs]
comment = Server Logs
path = /logs
writable = no
#valid users = jsmith
valid users = @"MC\MC-Services"
printable = no
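An added diagnostic for the share problem above (not from the thread, and not Samba or SSSD project code): before adjusting smb.conf, confirm that the host's NSS layer resolves the AD group and lists the user as one of its members, since `valid users = @group` can only be honoured if that lookup succeeds. It assumes NSS is served by SSSD, so the group and user names must be given in whatever form NSS returns them on that host (short names or DOMAIN\name, depending on use_fully_qualified_names); the names used in the stand-alone run at the bottom are local accounts so the script works on any Linux host.

```shell
#!/bin/sh
# Added example (not Samba/SSSD project code): check that NSS on the file
# server resolves a group and reports a user as a member, and emit the
# smb.conf line that would rely on that membership.
#
# Assumption, labelled: NSS is backed by SSSD, so names must be passed in the
# form SSSD returns them (e.g. "MC-Services" or "MC\MC-Services").

# nss_group_exists GROUP -> 0 if getent resolves the group
nss_group_exists() {
    getent group "$1" >/dev/null 2>&1
}

# nss_user_in_group USER GROUP -> 0 if GROUP appears in the user's group list
# (id -nG reflects the user's full group set, which with SSSD may be populated
# even when the group's own member list is empty, e.g. ignore_group_members)
nss_user_in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -Fqx -- "$2"
}

# nss_group_lists_member GROUP USER -> 0 if USER is in the group's member field
nss_group_lists_member() {
    getent group "$1" 2>/dev/null | cut -d: -f4 | tr ',' '\n' | grep -Fqx -- "$2"
}

# check_share_group USER GROUP: print a diagnosis, return 0 only if the
# user's membership is visible to NSS
check_share_group() {
    user=$1; group=$2
    if ! nss_group_exists "$group"; then
        echo "FAIL: NSS cannot resolve group '$group' (check sssd status, nsswitch.conf and the name format)"
        return 1
    fi
    if ! nss_user_in_group "$user" "$group"; then
        echo "FAIL: '$user' is not a member of '$group' according to NSS (check the sssd cache and group settings)"
        return 1
    fi
    if ! nss_group_lists_member "$group" "$user"; then
        echo "NOTE: '$group' resolves and '$user' is in it, but the group's member list is empty or incomplete"
    fi
    echo "OK: '$user' is in '$group'; smb.conf can use: valid users = @\"$group\""
    return 0
}

# Stand-alone run with local accounts; on the file server replace these with
# the AD user and group, e.g.: check_share_group jsmith 'MC\MC-Services'
check_share_group root root
```

Run it as the same kind of name you put in smb.conf: if `getent group` cannot resolve the group, or `id -nG` does not list it for the user, Samba has nothing to match `valid users` against and the share will behave exactly as described above.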

Hi,
I'm wondering if there are any plans to improve sssd performance on large Active Directory domains (100k+ users, 40k+ groups), or if there are settings I am not aware of that can greatly improve performance, specifically for workstation use cases.
Currently if I do not set "ignore_group_members = True" in sssd.conf, logins can take upwards of 6 minutes and "sssd_be" will max the CPU for up to 20 minutes after logon, which makes it a non-starter. The reason I want to allow group members to be seen is that I want certain domain groups to be able to perform elevated actions using polkit. If I ignore group members, polkit reports that the group is empty and so no one can elevate in the graphical environment.
Ultimately this means that Linux workstations are at a severe disadvantage since they cannot be bound to the domain and have the normal set of access features users and IT expect from macOS or Windows.
Distributions used: Ubuntu 16.04 (sssd 1.13.4-1ubuntu1.1), Ubuntu 16.10 (sssd 1.13.4-3) and Fedora 24 (sssd-1.13.4-3.fc24). All exhibit the same problems.
I've also tried "ldap_group_nesting_level = 1" without seeing any noticeable improvement with respect to performance. Putting the database on /tmp isn't viable as these are workstations that will reboot semi-frequently, and I don't believe this is an I/O bound performance issue anyway.
Thanks for your time.

Hi Everyone,
I have been able to get sssd to work so I can log in with my AD credentials to a workstation and through ssh; however, I am running into a problem. Whenever a new user tries to log in to an Ubuntu workstation for the first time it doesn't allow them. I am guessing the login screen doesn't contact the Windows AD to check credentials (so maybe sssd hasn't been started yet). I currently have sssd managing the following services: pam, ssh, autofs, and nss. The workaround that I have found is to ssh to that machine from another machine with the AD credentials that I would like to use, and then when I reset the machine I am able to use those credentials at the login screen. Is there a better way?
Thanks,
Thomas